Search This Blog

Saturday, July 02, 2005

Re: Firewall-troubleshooting

On 3 Jul 2005, KC wrote:
> Daniel Pittman wrote:
>> On 3 Jul 2005, KC wrote:
>>
>>> I need help understanding what goes wrong in this script. I cannot ping
>>> anyone and cannot resolve as well. In fact I believe the only thing I can
>>> get is an ip address from my isp's dhcp server.

[...]

>> I can't spot anything wrong with your script, which means that it isn't
>> an obvious stupid mistake (congratulations ;). You have some work to
>> do, I guess. :)

[...]

>> Finally, that is a pretty complex firewall script, and obviously
>> somewhat hard to maintain. Maybe you would get better value for your
>> time by using an existing firewall helper like 'firehol', or something,
>> than re-doing the work that went into the existing tools?
>>
>> Of course, if your aim is to learn iptables rather than just get it
>> working, that loses. ;)
>
> Yes the script is kind of long and tedious in its respects.

Well, a decent firewall is when you express it in iptables -- the
assembly language of firewalls. ;)

[...]

> I am trying to block out everything accept what i need.

That is a good policy.

> I think that my firewall optimization is kind of crap but I am in
> process of working on that. The other thing that I just noticed is
> that my order for rules is not very properly laid out. I should have
> had the most active rules up ontop right before all the drop rules.

So-so. On most of the systems that people use for firewalling these
days, the performance cost of the various tests is next to invisible,
because the machines are grossly overpowered.

For example, the smallest thing I look after that does firewalling is my
P3-550 at home, which replaced a Pentium-233, both of which could have
handled vastly more firewall rules than I ever had, despite a much more
complex setup than your script manages.

So, unless you actually notice a performance problem you are probably
wasting your time trying to "micro-optimize" your firewall that way, in
my opinion.

[...]

> I tried some automated firewall scripting programs, and just feel that
> a lot of them are just designed to save time for the lazy, and then
> you waste a lot of time trying to correct the script.

Sure, a lot of them suck. In fact, most of them *really* suck, in my
opinion.

I found that 'firehol' was quite a surprise to me -- not only didn't it
suck, it actually improved my hand-written firewall somewhat.

Unlike everything else, it doesn't tell you to fill in three values in a
configuration file and expect to have a full firewall. All it does is
help take the tedious bits out of writing an iptables firewall.

You can also use, well, anything iptables-ish if you want. I would
suggest giving it a whirl at some point, just because it doesn't suck
the same way all the other tools do.

> These programs have their users I am just not one of them. I have also
> learned that iptables have some very interesting and helpful modules.
> If someone knows anything about that, then I would appreciate if they
> let me know where I could get them.

Well, if you want the latest patch-o-matic stuff, netfilter.org will
help you. If you have specific questions, just ask. :)

Daniel

--
...I've seen things you people wouldn't believe. Sun monitors on fire off the
side of the multimedia lab. I've seen NTU lights glitter in the dark near the
Mail Gate. All these things will be lost in time, like the root partition last
week. Time to die...
-- Peter Gutmann, _alt.sysadmin.recovery_

--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

No comments: